Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add source as parent node in CodeBase::addTaintSource() #11025

Open
wants to merge 1 commit into
base: 5.x
Choose a base branch
from

Conversation

cgocast
Copy link
Contributor

@cgocast cgocast commented Jun 24, 2024

Fixes #10057

@cgocast
Copy link
Contributor Author

cgocast commented Jun 25, 2024

This bugfix is not perfect but it is much simpler than #10206.

@orklah, please can you have a look at this PR ?

@Patrick-Remy
Copy link
Contributor

Maybe both changes are required, in my PR I am also adding massive Taint-related tests and fixing examples.
Anyway, in my PR I still had issues that some taints weren't found where I hadn't found a solution for.
I will check if merging/applying your change into mine will fix the outstanding failing tests!

@cgocast
Copy link
Contributor Author

cgocast commented Jun 25, 2024

Indeed my PR lacks taint-related tests and I agree we should merge your tests.

I am not convinced by the changes you made in the Analyzers. For instance, I was able to raise a TaintedHtml on

<?php // --taint-analysis

$foo = $bad_data;
echo $foo; 

without changing the Analyzers

@Patrick-Remy
Copy link
Contributor

I now had time to test your changes and applied them to my original PR.
At least for me the test you mentioned is still failing.

And moreover, if I undo my other changes and just added the line you added, instead of the single test, 4 tests are failing

vendor/phpunit/phpunit/phpunit tests/Config/Plugin/EventHandler/AddTaints/AddTaintsInterfaceTest.php
PHPUnit 9.6.11 by Sebastian Bergmann and contributors.

Random Seed:   1719848602

FFF.F                                                               5 / 5 (100%)

Time: 00:05.312, Memory: 148.00 MB

There were 4 failures:

1) Psalm\Tests\Config\Plugin\EventHandler\AddTaints\AddTaintsInterfaceTest::testAddTaintsActiveRecord
Failed asserting that exception of type "Psalm\Exception\CodeException" is thrown.

2) Psalm\Tests\Config\Plugin\EventHandler\AddTaints\AddTaintsInterfaceTest::testTaintBadDataVariables
Failed asserting that exception of type "Psalm\Exception\CodeException" is thrown.

3) Psalm\Tests\Config\Plugin\EventHandler\AddTaints\AddTaintsInterfaceTest::testAddTaintsActiveRecordList
Failed asserting that exception of type "Psalm\Exception\CodeException" is thrown.

4) Psalm\Tests\Config\Plugin\EventHandler\AddTaints\AddTaintsInterfaceTest::testTaintsArePassedByTaintedAssignments
Failed asserting that exception of type "Psalm\Exception\CodeException" is thrown.

FAILURES!
Tests: 5, Assertions: 4, Failures: 4.

I will start rebasing my old branch and apply your commit as well, so that you can reproduce.

@Patrick-Remy
Copy link
Contributor

Even rebased and with your commit applied, the test you mentioned is failing in the CI: https://github.com/vimeo/psalm/actions/runs/9747343000/job/26899836333?pr=10206

Therefor I will revert your change from my branch again, as mentioned in the PR description addTaintSource() was rewritten to immutability / purity. Adding again a side-effect there is a bit anti-design in my opinion.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Adding custom taint sources via plugin ignored
2 participants